security vulnerabilities decomposition
play

Security Vulnerabilities Decomposition Katy Anton OWASP Top 10 - PowerPoint PPT Presentation

Mar 11, 2024 •742 likes •1.21k views

Security Vulnerabilities Decomposition Katy Anton OWASP Top 10 @KatyAnton When the report is published @KatyAnton Katy Anton Software development background Project co-leader for OWASP Top 10 Proactive Controls (@OWASPControls)

  1. Security Vulnerabilities Decomposition Katy Anton

  2. OWASP Top 10 @KatyAnton

  3. When the report is published @KatyAnton

  4. Katy Anton • Software development background • Project co-leader for OWASP Top 10 Proactive Controls (@OWASPControls) • Principle Application Security Consultant @KatyAnton

  5. C ommon W eakness E numeration A formal list for of software security weaknesses in: • architecture • design • code Source: https://cwe.mitre.org/ @KatyAnton

  6. NVD: CWE Categories Source: https://nvd.nist.gov/vuln/categories/cwe-layout @KatyAnton

  7. Injection Category @KatyAnton

  8. CWEs in Injection Category • CWE-78: OS Cmd Inj CWE-77: Commmand Injection CWE-78: Argument Inj CWE-78: XSS CWE-91: XML Injection CWE-74 Injection CWE-93: CRLF Injection CWE-94: Code Injection CWE-89: SQL Injection CWE-943: Improper Neutr. of Special El in Query CWE-90: LDAP Injection Source: NVD @KatyAnton

  9. @KatyAnton

  10. Is there another way to look at it? @KatyAnton

  11. Decompose the Injection Data interpreted as Code Input Parser Output Get / Post Data SQL Parser SQL HTML Parser HTML File Uploads XML Parser XML HTTP Headers Shell Bash Script Database Data LDAP Parser LDAP Query Config files @KatyAnton

  12. Extract Security Controls Output Input Parser Vulnerability Encode Output Parameterize Validate Input R R XSS R R SQL Injection R R XML Injection R R Code Injection R R LDAP Injection R R Cmd Injection Primary Controls Defence in depth @KatyAnton

  13. Intrusions (or lack of Intrusion Detection) @KatyAnton

  14. If a pen tester is able to get into a system without being detected, then there is insufficient logging and monitoring in place @KatyAnton

  15. Security Controls: Security Logging The security control developers can use to log security information during the runtime operation of an application. @KatyAnton

  16. The 6 Best Types of Detection Points Good attack identifiers: 1. Authorisation failures 2. Authentication failures 3. Client-side input validation bypass 4. Whitelist input validation failures 5. Obvious code injection attack 6. High rate of function use @KatyAnton

  17. Examples of Intrusion Detection Points Request Exceptions • Application receives GET when expecting POST • Additional form /URL parameters @KatyAnton

  18. Examples of Intrusion Detection Points Authentication Exceptions • Additional variables received during an authentication like ‘admin=true’’ • Providing only one of the credentials The user submits POST request which only contains the username variable. The password was removed. @KatyAnton

  19. Examples of Intrusion Detection Points Input Exceptions • Input validation failure on server despite client side validation • Input validation failure on server side on non-user editable parameters • e.q:hidden fields, checkboxes, radio buttons, etc S @KatyAnton

  20. Secure Data Handling: Basic Workflow Application Server Operating System Log Exceptions Software Application Param Queries Encode output Validate Data @KatyAnton

  21. Sensitive Date Exposure Data at Rest and in Transit @KatyAnton

  22. Data Data Types Encryption Hashing Data at Rest : Requires initial value R E.q: credit card Data at Rest : Doesn’t require initial value R E.q: user passwords R Data in Transit @KatyAnton

  23. Data at Rest: Design Vulnerability example How Not to Do it ! In the same folder - 2 file: The content of password.txt: encryption_key = PBKF2(psswd, salt, iterations, key_length); @KatyAnton

  24. Encryption: Security Controls Strong Encryption Algorithm: AES Key Management • Store unencrypted keys away from the encrypted data. • Protect keys in a Key Vault (Hashicorp Vault / Amazon KMS) • Keep away from home grown key management solutions. • Define a key lifecycle. • Build support for changing algorithms and keys when needed • Document procedures for managing keys through the lifecycle Source: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html @KatyAnton

  25. Data in Transit: Security Controls Application Server Operating System TLS TLS • Software Application TLS TLS @KatyAnton

  26. Third Party Components Using Software Components with Known Vulnerabilities @KatyAnton

  27. State of Software Security Apps with at least 1 vulnerable component: • 85.7% of .Net applications • 92% of C++ applications Source: https://www.veracode.com/state-of-software-security-report @KatyAnton

  28. Root Cause • Difficult to understand • Easy to break • Difficult to test • Difficult to upgrade • Increase technical debt @KatyAnton

  29. What is Attack Surface? Sum of the total different points through which a malicious actor can try to enter data into or extract data from an environment. @KatyAnton

  30. Fundamental Security Principle Minimize the attack surface area @KatyAnton

  31. Components Examples Example of external components: • Open source libraries - for example: a logging library • APIs - for example: vendor APIs • Packages by another team within same company @KatyAnton

  32. Example 1: Implement Logging Library • Third-party - provides logging levels: • FATAL, ERROR, WARN, INFO, DEBUG. • We need only: • DEBUG, WARN, INFO. @KatyAnton

  33. Simple Wrapper Module Helps to: Module Module • Expose only the functionality Module required. Module Module • Hide unwanted behaviour. Module Interface • Reduce the attack surface area. • Update or replace libraries. Third-Party Library • Reduce the technical debt. @KatyAnton

  34. Example 2: Implement a Payment Gateway Scenario: • Vendor APIs - like payment gateways • Can have more than payment gateway one in application • Require to be inter-changed @KatyAnton

  35. Adapter Design Pattern • Converts from provided interface Your Code to the required interface. • A single Adapter interface can work with many Adaptees. Adapter • Easy to maintain. Third-party code @KatyAnton

  36. Example 3: Implement a Single Sign-On • Libraries / packages created by another team within same company • Re-used by multiple applications • Common practice in large companies @KatyAnton

  37. Façade Design Pattern • Simplifies the interaction with a complex sub-system • Make easier to use a poorly designed API • It can hide away the details from the client. • Reduces dependencies on the outside code. @KatyAnton

  38. Secure Software Starts from Design ! Wrapper Adapter Pattern Façade Pattern To expose only required To convert from the required To simplify the interaction with functionality and hide unwanted interface to provided interface a complex sub-system. behaviour. Module Module Your Code Module Module Module Module Module Module Module Module Module Module Module Module Adapter Facade Interface Third-party code Complex sub-system Third-Party Library

  39. How often ? @KatyAnton

  40. Rick Rescorla • United States Army office of British origin • Born in Hayle, Cornwall, UK • Director of Security for Morgan Stanley at WTC @KatyAnton

  41. Security Controls Recap @KatyAnton

  42. Security Controls In Development Cycle Application Server OS Command Logs Operating System Log Exception Software Application Param Data Secure Date Key Management Encapsulation Param Queries Mo Mo Mo Mo Mo Mo Encode Validate Mo Encap output TLS Input Librar TLS TLS @KatyAnton

  43. Final Takeaways Focus on CWEs CWEs Security which prevent Verify Early and Often Controls @KatyAnton

  44. References • OWASP Top 10 Proactive Controls https://owasp.org/www-project-proactive-controls/ • OWASP Cheat Series https://cheatsheetseries.owasp.org/ @KatyAnton

  45. Thank you very much @KatyAnton @KatyAnton

Recommend

The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security

The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security

CS 640: Introduction to Computer Networks Aditya Akella Lecture 25 Network Security The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security Vulnerabilities Security Problems in the TCP/IP Protocol

1.29k views • 13 slides
vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration

vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration

Security & Knowledge Management a.a. 2019/20 There are a set of sources that provide updated information about security vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration CAPEC,

197 views • 8 slides
Database Security Threats and Vulnerabilities John Bissonette Aaron McClure Introduction

Database Security Threats and Vulnerabilities John Bissonette Aaron McClure Introduction

Database Security Threats and Vulnerabilities John Bissonette Aaron McClure Introduction Databases are the crown jewels of a business or organization Security is paramount Vulnerabilities grant attackers keys to the

601 views • 14 slides
Hunting PBX For Vulnerabilities Sachin Wagh Security Analyst Security Intelligence Team @

Hunting PBX For Vulnerabilities Sachin Wagh Security Analyst Security Intelligence Team @

Hunting PBX For Vulnerabilities Sachin Wagh Security Analyst Security Intelligence Team @ Symantec Speaker at Hakon and Geek Street - Infosecurity Europe Bug Hunter | Penetration Tester Security Blogger @tiger_tigerboy

801 views • 38 slides
(IN)SECURITY , RISK & THE LIFECYCLE OF VULNERABILITIES Dr. Stefan Frei Security Architect at

(IN)SECURITY , RISK & THE LIFECYCLE OF VULNERABILITIES Dr. Stefan Frei Security Architect at

(IN)SECURITY , RISK & THE LIFECYCLE OF VULNERABILITIES Dr. Stefan Frei Security Architect at Swisscom frei@techzoom.net Twitter @stefan_frei Cyber & Networking Security Networking security has become critical issue for all types

788 views • 66 slides
HOWTO Reminders Basic Vulnerabilities and their Vulnerabilities Exploitation Security Samuel

HOWTO Reminders Basic Vulnerabilities and their Vulnerabilities Exploitation Security Samuel

HOWTO Basic Vulnerabilities and their Exploitation Samuel Angebault HOWTO Reminders Basic Vulnerabilities and their Vulnerabilities Exploitation Security Samuel Angebault staphylo@lse.epita.fr http://lse.epita.fr/ July 18, 2013 Table

969 views • 57 slides
Security vulnerabilities, exploits and attack patterns: 15 years of art, pseudo-science, fun &

Security vulnerabilities, exploits and attack patterns: 15 years of art, pseudo-science, fun &

15th USENIX Security Symposium | July 31st August 4th 2006 | Vancouver, B.C. - Canada Security vulnerabilities, exploits and attack patterns: 15 years of art, pseudo-science, fun & profit Ivn Arce Core Security Technologies Humboldt

767 views • 41 slides
Introduction What I do Research new vulnerabilities, malware, and other security threats

Introduction What I do Research new vulnerabilities, malware, and other security threats

Introduction What I do Research new vulnerabilities, malware, and other security threats Create defensive measures Evaluate security software What this talk is about Windows rootkits How they are used How they work

790 views • 54 slides
Wh What t abou out t th the e sof oftw twar are? e? How many security vulnerabilities

Wh What t abou out t th the e sof oftw twar are? e? How many security vulnerabilities

Wh What t abou out t th the e sof oftw twar are? e? How many security vulnerabilities are there in the software implementing all this smart grid functionality and the underlying protocols? Erik Poll Radboud University Nijmegen Moti

351 views • 33 slides
Vulnerabilities in C/C++ programs Part I TDDC90 Software Security Ulf Kargn Department

Vulnerabilities in C/C++ programs Part I TDDC90 Software Security Ulf Kargn Department

Vulnerabilities in C/C++ programs Part I TDDC90 Software Security Ulf Kargn Department of Computer and Information Science (IDA) Division for Database and Information Techniques (ADIT) Vulnerabilities in C-based languages

633 views • 59 slides
Security vulnerabilities in new web applications Ing. Pavol Luptk, CISSP, CEH Lead Security

Security vulnerabilities in new web applications Ing. Pavol Luptk, CISSP, CEH Lead Security

Security vulnerabilities in new web applications Ing. Pavol Luptk, CISSP, CEH Lead Security Consultant www.nethemba.com www.nethemba.com Introduction $whoami Pavol Luptk 10+ years of practical experience in security and seeking

594 views • 15 slides
Network and Internet Vulnerabilities Computer Security Lecture 9 David Aspinall School of

Network and Internet Vulnerabilities Computer Security Lecture 9 David Aspinall School of

Network and Internet Vulnerabilities Computer Security Lecture 9 David Aspinall School of Informatics University of Edinburgh 24th February 2014 Outline Introduction Network and transport-level vulnerabilities Higher-level protocol

1.01k views • 88 slides
OWASP Most Critical Web Application Security Vulnerabilities Introduction 2 Purpose of

OWASP Most Critical Web Application Security Vulnerabilities Introduction 2 Purpose of

OWASP Most Critical Web Application Security Vulnerabilities Introduction 2 Purpose of Session: - Provide Overview Web Application Security Threats and Defense Using the Open Web Application Security Project (OWASP) Top List, we

830 views • 39 slides
Operating System Hardening Vulnerabilities Unique vulnerabilities for: Different

Operating System Hardening Vulnerabilities Unique vulnerabilities for: Different

Operating System Hardening Vulnerabilities Unique vulnerabilities for: Different operating systems Different vendors Client and server systems Vendors try to correct Attackers try to exploit Security professionals must

620 views • 11 slides
Buffer Software Security overflows and other memory safety vulnerabilities History

Buffer Software Security overflows and other memory safety vulnerabilities History

This time We will begin By investigating our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities History Memory layouts Buffer overflow fundamentals Analyzing security Security

1.41k views • 107 slides
Responsible disclosure process vulnerabilities of IP security cameras Kiberahs 2016

Responsible disclosure process vulnerabilities of IP security cameras Kiberahs 2016

Responsible disclosure process vulnerabilities of IP security cameras Kiberahs 2016 @KirilsSolovjovs 06.10.2016. kirils.org Me in a slide IT security expert; researcher at 1 st Ltd, Latvia Skills: network flow analysis, reverse

529 views • 20 slides
Buffer Software Security overflows and other memory safety vulnerabilities History

Buffer Software Security overflows and other memory safety vulnerabilities History

This time We will begin By investigating our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities History Memory layouts Buffer overflow fundamentals Software security Security is a form

2.11k views • 190 slides
Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust Boundary Attacks Threats Application Attacker Exploit Vulnerability : a software defect with security consequences Threat : a potential danger to

1.54k views • 80 slides
Jonathan Pollet conference Part 1: Control System Vulnerabilities control system vulnerabilities

Jonathan Pollet conference Part 1: Control System Vulnerabilities control system vulnerabilities

Rome, May 31, 2011 Jonathan Pollet conference Part 1: Control System Vulnerabilities control system vulnerabilities > analysis of 5 years of field data Jonathan Pollet, CISSP , CAP , PCIP Red Tiger Security [on behalf of the DHS CSSP

413 views • 20 slides
Security vulnerabilities for grown-ups Vitaly Osipov Atlassian Tuesday, 22 May 1 Or: 7

Security vulnerabilities for grown-ups Vitaly Osipov Atlassian Tuesday, 22 May 1 Or: 7

Security vulnerabilities for grown-ups Vitaly Osipov Atlassian Tuesday, 22 May 1 Or: 7 product security lessons I learned @Atlassian Tuesday, 22 May 2 Disclaimer All good parts of this talk Are learned from my colleagues Any errors Are

741 views • 49 slides
WEB AND BROWSER SECURITY Ben Livshits, Microsoft Research Web Application Vulnerabilities &

WEB AND BROWSER SECURITY Ben Livshits, Microsoft Research Web Application Vulnerabilities &

WEB AND BROWSER SECURITY Ben Livshits, Microsoft Research Web Application Vulnerabilities & Defenses 2 Server-side woes Browser mechanisms: Same origin SQL injection Cross-domain request XSS overview Content

738 views • 50 slides
CO 445H ADVANCED TOPICS OF WEB SECURITY MODEL AND ITS PITFALLS BROWSER VULNERABILITIES Dr.

CO 445H ADVANCED TOPICS OF WEB SECURITY MODEL AND ITS PITFALLS BROWSER VULNERABILITIES Dr.

CO 445H ADVANCED TOPICS OF WEB SECURITY MODEL AND ITS PITFALLS BROWSER VULNERABILITIES Dr. Benjamin Livshits British Airw rways Hack 2 BA last week admitted that personal and payment card info for 380,000 customers had been swiped from

840 views • 61 slides
CSE484/CSE584 BROWSER SECURITY AND WEB VULNERABILITIES Dr. Benjamin Livshits Taxonomy of XSS 2

CSE484/CSE584 BROWSER SECURITY AND WEB VULNERABILITIES Dr. Benjamin Livshits Taxonomy of XSS 2

CSE484/CSE584 BROWSER SECURITY AND WEB VULNERABILITIES Dr. Benjamin Livshits Taxonomy of XSS 2 XSS-0 : client-side XSS-1 : reflective XSS-2 : persistent XSS Is Exceedingly Common 3 Web Hacking Incident Database (1999 -

887 views • 44 slides
Introduction to Network Security Chapter 4 Taxonomy of Network-Based Vulnerabilities Dr. Doug

Introduction to Network Security Chapter 4 Taxonomy of Network-Based Vulnerabilities Dr. Doug

Introduction to Network Security Chapter 4 Taxonomy of Network-Based Vulnerabilities Dr. Doug Jacobson - Introduction to 1 Network Security - 2009 Topics Network Security Model Header attacks Protocol Attacks

597 views • 25 slides

More recommend